coinpedia.org
A series of hacks has occurred. The latest victim was Sonne Finance, a decentralised lending protocol that works on Optimism and Base. The protocol has been hacked for at least $20 million. The attack planned through a vulnerability typical of the Compound Finance forks, has created a storm in the DeFi community.
Sonne Finance immediately closed all markets on the Optimism platform in reaction to the hack and made sure that the funds on Base were safe from the attack.
All markets on Optimism have been paused.
— Sonne Finance (@SonneFinance) May 15, 2024
Markets on Base are safe.
We'll provide more information with time.
Details of the Exploit
PeckShield, a blockchain security firm, says Sonne Finance was attacked by a hacker who used a known vulnerability in the forks of Compound Finance. This glitch enabled the attacker to withdraw about $20 million from Sonne Finance’s smart contracts on the Optimism network.
Hi @SonneFinance: Please double check your timelock contract and the loss is now more than $20m.
— PeckShield Inc. (@peckshield) May 15, 2024
Understanding the Exploitation Technique
Sonne Finance, the derivative of Compound V2, was linked to certain weaknesses which were inherited from its codebase. Hundred Finance and Midas Capital were the victims of DeFi hacks last year and the same vulnerabilities have been used in the previous DeFi hacks.
In these attacks, the malicious actors manipulate the exchange rates to increase the collateral values artificially so that they drain the pools of lending with few tokens.
The Sonne Finance exploit was possible due to the implementation of a new market contract for VELO and a later governance proposal to activate it. Once the proposal was passed, the attacker smartly executed the contract right after the completion of the 24-hour timelock, hence, he was the first one to benefit from the exploit.
Response and Recovery Efforts
After the exploit, Sonne Finance took the necessary step of stopping all the Optimism markets to limit the damage. The Base market remained safe and stable.
In their post-mortem of the incident, Sonne Finance put out a list of wallet addresses that belonged to the manipulator in an attempt to find the culprit. The team stressed their continuous efforts to retrieve the stolen funds, including offering a bug bounty, tapping into the support of the whole crypto community, and engaging with the relevant stakeholders.
There are many versions of Compound V2 already in circulation; hence, security protocols should be the priority, which includes regular audits and timely vulnerability patches.